动态加载 APPWIZ.CPL 木马文件。
/*
 * Entry point of the host executable (decompiled listing, restyled).
 *
 * Flow, as the listing shows it:
 *   1. If the command line contains "/top-most" and IsRudeAppPresent() says a
 *      full-screen app is up, create a private desktop ("FondueDesktop"),
 *      switch the thread onto it and remember the original desktop.
 *   2. Enable heap-termination-on-corruption, refuse to run in session 0,
 *      bring up COM, then load APPWIZ.CPL by bare module name and call its
 *      exported "RunFODW" with the original wWinMain arguments.
 *   3. Switch back to and close the desktops, then return the result,
 *      unwrapping FACILITY_WIN32 HRESULTs back to their Win32 error code.
 *
 * hPrevInstance is unused (it is always NULL on Win32 anyway).
 */
int __stdcall wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int nShowCmd)
{
    /* Signature the listing casts the export to: the decompiler shows it as
     * __thiscall with the function pointer itself passed as the first argument
     * — presumably a calling-convention recovery artifact; preserved as-is. */
    typedef int (__thiscall *run_fodw_fn)(FARPROC, _DWORD, HINSTANCE, LPWSTR, int);

    HDESK originalDesktop = 0;   // desktop the thread was on before switching
    HDESK fondueDesktop = 0;     // private desktop created for /top-most
    int hr = 0;                  // HRESULT-style result; every path assigns it
    int desktopReady = 0;        // non-zero once the main body may run
    DWORD sessionId;
    /* NOTE(review): never initialised anywhere in the listing before being
     * passed to ShowServerMessage(); almost certainly a decompiler artifact
     * (reused stack slot). Kept uninitialised to mirror the listing exactly —
     * confirm against the binary before relying on it. */
    unsigned __int16 *serverMessageArg;

    if (_wcsstr(lpCmdLine, L"/top-most") && IsRudeAppPresent()) {
        originalDesktop = GetThreadDesktop(GetCurrentThreadId());
        if (!originalDesktop) {
            /* Inline HRESULT_FROM_WIN32. Note a last-error of 0 maps to 0
             * (S_OK), so a failure with no error code is reported as success;
             * this also bypasses the desktop cleanup below, matching the
             * listing's direct jump to the return. */
            int err = GetLastError();
            hr = err;
            if (err > 0) {
                hr = (unsigned __int16)err | 0x80070000;
            }
            goto done;
        }

        /* 0x10000000 == GENERIC_ALL on the new desktop. Short-circuit keeps
         * GetLastError() pointing at whichever call failed first. */
        fondueDesktop = CreateDesktopW(L"FondueDesktop", 0, 0, 0, 0x10000000u, 0);
        if (fondueDesktop && SetThreadDesktop(fondueDesktop) && SwitchDesktop(fondueDesktop)) {
            desktopReady = 1;
        } else {
            int err = GetLastError();
            hr = err;
            if (err > 0) {
                hr = (unsigned __int16)err | 0x80070000;
            }
        }
    } else {
        desktopReady = 1;   // no desktop switch requested: run directly
    }

    if (desktopReady) {
        /* Process-wide heap hardening: abort instead of continuing on a
         * corrupted heap. */
        HeapSetInformation(0, HeapEnableTerminationOnCorruption, 0, 0);

        sessionId = -1;
        if (ProcessIdToSessionId(GetCurrentProcessId(), &sessionId) && sessionId == 0) {
            hr = -2147467259;   // 0x80004005 = E_FAIL: refuse to run in session 0
        } else {
            hr = CoInitialize(0);
            if (hr >= 0) {
                /* -1 = default authentication services; 3/3 presumably
                 * RPC_C_AUTHN_LEVEL_CALL / RPC_C_IMP_LEVEL_IMPERSONATE. */
                hr = CoInitializeSecurity(0, -1, 0, 0, 3u, 3u, 0, 0, 0);
                if (hr >= 0) {
                    /* Loaded by bare module name, so the loader resolves it
                     * through the standard DLL search order instead of a pinned
                     * location; a same-named file earlier in that order is
                     * what gets loaded. The hardening would be an absolute
                     * System32 path or LoadLibraryExW with
                     * LOAD_LIBRARY_SEARCH_SYSTEM32. The module is never freed. */
                    HMODULE appwiz = LoadLibraryW(L"APPWIZ.CPL");
                    FARPROC entry = appwiz ? GetProcAddress(appwiz, "RunFODW") : 0;
                    if (entry) {
                        hr = ((run_fodw_fn)entry)(entry, 0, hInstance, lpCmdLine, nShowCmd);
                    } else {
                        hr = -2147024846;   // 0x80070032 = HRESULT_FROM_WIN32(ERROR_NOT_SUPPORTED)
                        if (IsServerSku()) {
                            ShowServerMessage(serverMessageArg);
                        }
                    }
                }
                /* Balanced with the successful CoInitialize even when
                 * CoInitializeSecurity failed. */
                CoUninitialize();
            }
        }
    }

    /* Restore the original desktop first so the private one is not in use
     * when it is closed. Both handles are 0 when no switch was requested. */
    if (originalDesktop) {
        SwitchDesktop(originalDesktop);
        SetThreadDesktop(originalDesktop);
    }
    if (fondueDesktop) {
        CloseDesktop(fondueDesktop);
    }

done:
    /* Facility bits (16..28) equal to 7 = FACILITY_WIN32: the process exit
     * code is the raw Win32 error rather than the wrapped HRESULT. */
    if ((hr & 0x1FFF0000) == 0x70000) {
        return (unsigned __int16)hr;
    }
    return hr;
}